Apache httpd 2.0.51 Released

Posted by timothy
from the now-with-more-patch dept.
djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."

  • mod_perl (Score:4, Interesting)

    by embobo (1520) on Wednesday September 15, 2004 @04:28PM (#10259745) Homepage
    Is mod_perl 2.0 ready for prime time yet? Last time I checked--a few months ago--the core was there but the mp 1.x emulation didn't work very well and some important modules, e.g., Apache::AuthCookie weren't ported yet. I went back to 1.x.
    • Re:mod_perl (Score:4, Informative)

      by djh101010 (656795) * on Wednesday September 15, 2004 @05:43PM (#10260420) Homepage Journal
      Can't speak to 2.0; I'm still using 1.99_16 myself, which seems to be playing nice with 2.0.50 and I assume 2.0.51 (building now).
      • Do we still need to recompile mod_*s with each new apache release or is the ABI stable enough to carry the binaries on?
        • Re:mod_perl (Score:2, Informative)

          by Anonymous Coward
          ABI is generally stable enough. Be careful about just replacing httpd / libhttpd.so though - because some of the security / bug fixes are in modules (or in libapr.so / libaprutil.so) and not the core.

          Third party modules should march happily on without being rebuilt.

          An obvious exception might be modperl which provides substantial coverage of entry points, constant #defines and other aspects of the core itself. It also relies on 'expected results' from a lot of edge functions which weren't widely used (and
  • by molo (94384) on Wednesday September 15, 2004 @05:00PM (#10260006) Journal
    Here is the list of vulnerabilities. For more information (including a list of affected versions), see the Apache Week [apacheweek.com] listing.

    Does anyone have any information about whether the mod_ssl DoS vuln affects Apache 1.3.x as well? Thanks. -molo


    An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
    [CAN-2004-0786]

    A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
    [CAN-2004-0747]

    A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
    [CAN-2004-0751]

    A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
    [CAN-2004-0748]

    A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
    [CAN-2004-0809]
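
The first item in the list above (a negative length reaching memcpy during IPv6 literal parsing) belongs to a general bug class, shown here as an added example that is not from the thread or from the Apache/apr-util source. The function names `naive_literal_len` and `extract_ipv6_literal` and the sample inputs are hypothetical; the first function only computes the unsafe length, the second is a bounds-checked parser.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: find each bracket independently and subtract.
 * Nothing guarantees ']' comes after '[', so the result can be negative,
 * and a negative value converted to size_t for memcpy becomes enormous. */
long naive_literal_len(const char *s)
{
    const char *open = strchr(s, '['), *close = strchr(s, ']');
    if (open == NULL || close == NULL)
        return 0;
    return (long)(close - open) - 1;
}

/* Hardened form: copy the address inside "[addr]" or "[addr]:port" into out.
 * Returns the address length, or -1 for malformed or oversized input. */
int extract_ipv6_literal(const char *hostport, char *out, size_t outsz)
{
    const char *open, *close;
    size_t len;

    if (hostport == NULL || out == NULL || hostport[0] != '[')
        return -1;
    open = hostport + 1;
    close = strchr(open, ']');      /* search only after the '[' */
    if (close == NULL)
        return -1;                  /* unterminated literal */
    len = (size_t)(close - open);   /* close >= open, so never negative */
    if (len == 0 || len >= outsz)
        return -1;                  /* empty, or no room for the NUL */
    if (strspn(open, "0123456789abcdefABCDEF:.") < len)
        return -1;                  /* byte not valid in an address */
    if (close[1] != '\0' && close[1] != ':')
        return -1;                  /* only a port may follow ']' */
    memcpy(out, open, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[64];
    /* Constructed sample inputs, not taken from any advisory. */
    printf("naive length for \"]::1[\": %ld\n", naive_literal_len("]::1["));
    printf("hardened on \"]::1[\": %d\n", extract_ipv6_literal("]::1[", buf, sizeof buf));
    if (extract_ipv6_literal("[::1]:8080", buf, sizeof buf) > 0)
        printf("parsed address: %s\n", buf);
    return 0;
}
```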
  • by troon (724114) on Thursday September 16, 2004 @03:22AM (#10263764)

    I've yet to try it out, but this release claims to allow the administrator to unset the previously-mandatory Content-Location header added when mod_negotiation is in play.

    This "feature" triggered an Opera "feature" that made in-document fragment anchors fail on dynamically generated, URL-rewritten documents.

    Full description [plus.com] of the problem. Hopefully 2.0.51 means I don't need to fiddle with the Apache source any more: I'll update the problem page if so.

  • by agent dero (680753) on Thursday September 16, 2004 @08:08PM (#10272832) Homepage
    Here at Texas A&M, IBM just gave a talk to our ULUG (Unix & Linux UG) about a project they use called "BogoSec" where they can get rough estimations of source security.

    The most drastic example of security problems was between vsftpd and wu-ftpd, but the presenter also showed some graphs for httpd 2.xxx releases, where the bugfix releases drastically improved the security.

    Hoorah for bugfix releases, they're always good.
  • I've been running this version on a box for a few days now and haven't seen any performance issues or outstanding bugs, so I would really recommend everyone upgrade ASAP.

    blog [homeip.net]

  • There's a patch for the security regression in 2.0.51. See CAN-2004-0811 and Apache Week for 9/23/2004 [apacheweek.com]. Another Apache release 2.0.52 is coming down the pike to fix this and some minor issues.

    To quote ApacheWeek: One of the new features included in [Apache 2.0.51] is that a container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy An
